
HTB - Cap Writeup

HTB - Cap


Target: 10.129.22.131

Enumeration

We began our enumeration with an Nmap scan to identify open ports and services. The scan revealed three open ports: 21 (FTP), 22 (SSH), and 80 (HTTP).


We attempted to log in to the FTP service using anonymous credentials, but the attempt was unsuccessful.


Visiting the web server revealed a security dashboard. The IP Config and Network Status tabs did not give us much either.


We ran feroxbuster in the background to enumerate directories and files while manually exploring the web application.


While inspecting the navigation bar, we noticed an IDOR vulnerability in the Security Snapshot link, whose URL ends in /4. By manipulating the URL (e.g., changing it to /0), we discovered other downloadable PCAP files.


Exploitation

Nathan Credential Discovery

Analyzing the PCAP file we downloaded from /0 in Wireshark, we identified an FTP login attempt with plaintext credentials.


Following the TCP stream, we extracted the credentials:

  • Username: nathan
  • Password: Buck3tH4TF0RM3!

Gaining Access

Using the credentials nathan:Buck3tH4TF0RM3!, we successfully logged into the FTP service and retrieved the user.txt flag.


The same credentials also granted access to the system via SSH.


Privilege Escalation

During enumeration on the system, we discovered that python3.8 had capabilities that could be abused for privilege escalation.


### What Are Capabilities in Linux?

Linux capabilities break down the full privileges of root into smaller, fine-grained permissions (e.g., CAP_NET_BIND_SERVICE, CAP_SETUID, CAP_SYS_ADMIN). Instead of giving a binary full root rights, the system can assign only the capability it needs.

However, if dangerous capabilities are set on interpreters (like Python), they can be abused for privilege escalation. For example, if Python has CAP_SETUID, an attacker can change their UID to 0 and spawn a root shell.

You can list file capabilities with:

```bash
getcap -r / 2>/dev/null
```

We executed the following command to gain a root shell:

```bash
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

This command leveraged the setuid capability to escalate privileges, granting us root access and completing the challenge.
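From the defender's side, the same `getcap -r /` output can be audited for interpreters that hold root-equivalent capabilities. The script below is an added example, not part of the original writeup: the capability set, the interpreter list, the function names and the sample lines are assumptions made for illustration, and it goes beyond the single python3.8 case by handling both the older (`path = caps+flags`) and newer (`path caps=flags`) libcap output formats.

```python
import os
import re

# Root-equivalent when held by user-controlled code (an assumed, non-exhaustive set).
ROOT_EQUIVALENT = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
                   "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}
# Binaries that execute arbitrary user-supplied code (optional version suffix).
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node|lua|bash|dash|sh|gdb)[\d.]*$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]*)[+=](?P<flags>[eip]+)$")

def parse_getcap_line(line):
    """Return (path, cap names, flags) for one getcap output line, or None."""
    line = line.strip()
    if " = " in line:  # older libcap: "/path = cap_x+ep"
        path, clause = line.split(" = ", 1)
    else:  # newer libcap: "/path cap_x=ep"
        path, _, clause = line.rpartition(" ")
    m = CLAUSE.match(clause.strip())
    if not path or not m:
        return None
    # An empty name list ("=ep") grants every capability.
    names = set(m["names"].split(",")) if m["names"] else {"all"}
    return path, names, set(m["flags"])

def audit(getcap_output):
    """Flag interpreters whose permitted set holds a root-equivalent capability."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        risky = sorted(ROOT_EQUIVALENT if "all" in names else names & ROOT_EQUIVALENT)
        # Only the permitted flag ("p") gives the exec'd process something to use.
        if risky and "p" in flags and INTERPRETER.match(os.path.basename(path)):
            findings.append({"path": path, "caps": risky, "fix": f"setcap -r {path}"})
    return findings

# Constructed sample covering both output formats; not taken from the target host.
SAMPLE = """\
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping cap_net_raw=ep
/usr/bin/perl5.30 cap_setuid=i
/opt/tools/ruby2.7 =ep
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['path']}: {', '.join(f['caps'])} -> {f['fix']}")
```

On a real host, pass the output of `getcap -r / 2>/dev/null` to `audit()`. `setcap -r <file>` removes the file capabilities from a flagged binary.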

Loot

Credentials

  • Username: nathan
  • Password: Buck3tH4TF0RM3!

Flags

  • User Flag: Retrieved via FTP.
  • Root Flag: Obtained after privilege escalation.